Hexbyte Hacker News Computers jcs/login_duress

login_duress is aBSD authentication
module providing duress functionality upon authentication.
The concept is modeled after thepam_duress
module for PAM.

It essentially adds a per-user backdoor password which, when entered instead of
the user’s normal password, will also execute a particular command as that
user.

Hexbyte Hacker News Computers Installation

Compile and install the module with make install.

Hexbyte Hacker News Computers Database Setup

Create a duress database at /etc/duress in the format of:

user:encrypted password:duress command

The encrypted password hash can be generated with encrypt -b10 -p.

The command in the duress file will be executed as the user logging in
(via sh -c), so any functionality requiring elevated privileges should usedoas or sudo configured to allow the command without a password.

Once the duress database has been created, make sure its ownership is correct:

# chown root:wheel /etc/duress
# chmod 600 /etc/duress

duress can now be activated as the default authentication type in/etc/login.conf by changing auth-defaults (or by assigning a new auth key
for the specific user class):

auth-defaults:auth=duress:

This will allow duress logins when authenticating via login(1), doas(8),sudo(8), xenodm(1), ssh(1) (if you allow password authentication, which
you shouldn’t), and everything else that uses BSD authentication on the system.

Hexbyte Hacker News Computers Example

Note: doas uses the last matching entry, so if you also have the default
“permit persist keepenv :wheel“, the nopass entry must be added after thatpermit line.

Now when the user jcs logs in with the password that matches the hash in/etc/duress instead of the normal password database, the command/usr/sbin/doas /sbin/halt -pnq will be run, immediately powering off the
machine.

This is not a particularly subtle example, so perhaps a better one might be to
run a script that just deletes (via rm -P) the user’s sensitive files such
as SSH keys, e-mail archives, etc.

Perhaps an even more subtle example is to run just /usr/bin/true upon duress
login.
This does nothing but allow one to login with an alternative password in the
scenario where some agency is requiring the user to reveal their password so
they can login and poke around, but that user’s normal system password is also
used on other, more sensitive systems and cannot be revealed.